
BBC News
Package: bbc.mobile.news.ww
Hash: bae42647bc64af3839943d6e53a3a8b4
Scan Engine Version: 4.2.6
Scan Date: 02-28-2018
Privacy Risk: 54/100 (MED)
Security Risk: 83/100 (HIGH)

This Technical Summary contains a mid-level summary and score information for an app's identified risk conditions. This digest is intended for a technical audience and provides a listing of the items we identified. Findings are separated into analysis areas, followed by categories and additional supporting details when available.

Each finding is represented by a Red, Orange, Yellow or Green colored square:
- Red indicates a high level of risk and is used when a test has failed.
- Orange indicates a moderate level of risk.
- Yellow indicates a low-risk or informational finding.
- Green indicates that no risk conditions were identified and is used when a test has passed.

Index: Privacy Summary, Security Summary, Analysis, Data Leakage, Libraries, OWASP Summary, Communications

Privacy Summary: 54/100 (MED)

The privacy summary focuses on the application's access to privacy data, including (but not limited to): user data, contacts access, unique device identifiers, adware, SMS, and insecure storage of data and communications.

- Content providers let other applications on the device request and share this app's data. A content provider that is exported and not protected by a permission is effectively public: if sensitive information is accidentally leaked into it, all an attacker needs to do is query the provider and the application will hand the data over. This is a cause for concern because a third-party application containing malicious code does not need any granted permissions to obtain sensitive information from such a provider.
- The app requests the device latitude and longitude.
- The app calls isProviderEnabled(), which returns the current enabled/disabled status of the given location provider.
- The app uses getLastKnownLocation() to retrieve the last known GPS coordinates. This returns the last location fix cached by the provider, so it still yields a position when location services are not currently available.
- The app reads the device serial number from the system build properties.
- The app retrieves the IMEI/MEID, a unique identifier for the device. This opens up the potential for abuse by tracking a user across multiple applications. Further examination should establish whether the IMEI is sent off the device.
- The app reads the device build fingerprint from the system build properties.
- The app retrieves the clipboard contents.
- The app potentially gains access to the device ID.

Security Summary: 83/100 (HIGH)

The security summary focuses on risks contained in the application, including (but not limited to): risky functionality and code use, application capabilities, critical vulnerabilities and threats.

- The app uses WebKit to download a file from the Internet.
- The app sets the activity content to an explicit view.
- Additional Android applications have been found bundled with this Android application. This is not an acceptable or standard developer practice and is often used with malicious intent in repackaged applications.
- The app uses PendingIntents. A PendingIntent executes with the identity and permissions of the app that created it, so one handed to another app can let that app act with this app's permission level, potentially resulting in permission elevation for the other app. The risk is greatest when the wrapped Intent is implicit or the PendingIntent is mutable, because the receiving app can then redirect or fill in the Intent.
- The app may use WebSocket (https://tools.ietf.org/html/rfc6455) based communications with remote servers.
- The app enables JavaScript execution in a WebView.
- The app uses a method that blindly loads all apps and jar files located in a directory. Potential exists for abuse by malicious parties.
- The app can load an alternate classes.dex file. Alternate classes.dex files could contain malicious functionality or payloads and at the least open up additional security and privacy risks. This functionality is seen in applications attempting to evade analysis. If the application requires root access, additional precautions should be taken.
- The app can manipulate its user agent string.
- The app uses sockets to open a communications channel.
- The app requests permissions at runtime.
- The app exposes Java objects to the WebView's JavaScript (addJavascriptInterface). This can allow code injection or indirect access to internal objects and methods (CVE-2012-6636, CVE-2013-4710). The vulnerability is mitigated when the app targets API level 17 (Android 4.2) or higher and runs on such a device, because only methods annotated with @JavascriptInterface are then reachable from JavaScript; on older devices, or with a targetSdkVersion of 16 or lower, every public method of the exposed object remains callable.
- The app configures WebView to allow JavaScript to open windows without a user prompt.
- The app calls checkCallingOrSelfPermission(). Per the Android documentation, this determines whether the calling process of an IPC, or the app itself, has been granted a particular permission. It is the same as checkCallingPermission(String), except that it grants the app's own permissions when the app is not currently processing an IPC, so a check made outside an IPC always passes. Use with care!
- The application was found to contain obfuscated method names. This can be used by legitimate developers to protect intellectual property and by others to conceal potentially malicious code.
- Code exists to start a service, which could in turn start a separate application on the device if it is not already running.
- The app uses synthetic methods to access private class members that are normally not accessible. This is flagged as a suspicious and unusual coding practice that should be reviewed. Note that the Java compiler itself emits synthetic accessor methods whenever an inner class touches a private member of its outer class, so this finding is common in ordinary Java code.
- The app uses Java reflection.
- The app contains exported components not protected by a permission.
- The app does not actively validate SSL certificates. It may accept self-signed, expired, or CN-mismatched certificates for SSL connections.
- The app writes information to the system log.

Analysis

Activity
The app sets the activity content to an explicit view.
Details (26 total classes, 10 shown):
  uk.co.bbc.smpan.ui.fullscreen.FullScreenPlayoutActivity
  com.urbanairship.actions.LandingPageActivity
  com.urbanairship.messagecenter.ThemedActivity
  com.urbanairship.ChannelCaptureActivity
  net.hockeyapp.android.ExpiryInfoActivity
  net.hockeyapp.android.LoginActivity
  net.hockeyapp.android.FeedbackActivity
  com.google.android.gms.ads.AdActivity
  android.support.wearable.activity.ConfirmationActivity
  android.support.v7.app.AlertController
  bbc.mobile.news.v3.fragments.managetopics.EditMyNewsActivity
  bbc.mobile.news.v3.app.ToolbarActivity

The app requests permissions at runtime.
Details:
  android.support.v4.app.FragmentActivity

The application requests a list of all running applications, including applications that are frozen in state by the system. This is an informational finding.
Details:
  com.google.android.gms.internal.zzagy

The app can retrieve the list of running apps.
Details:
  com.google.android.gms.gcm.zza
  com.google.android.gms.internal.zzgz
  com.google.android.gms.internal.zzrr
  com.google.android.gms.internal.zzagy

Address Book
The application accesses the user's contacts (the listed class belongs to the bundled Picasso image library).
Details:
  com.squareup.picasso.ContactsPhotoRequestHandler

Computes a content URI given a lookup URI.
Details:
  com.squareup.picasso.ContactsPhotoRequestHandler

Opens an InputStream for the contact's photo and returns the photo as a byte stream.
Details:
  com.squareup.picasso.ContactsPhotoRequestHandler$ContactPhotoStreamIcs
  com.squareup.picasso.ContactsPhotoRequestHandler

Binary Protections Testing
The application exposes source-level metadata symbols and fails the testing outlined by the OWASP Mobile Top 10.
The application fails the Source Code Reverse Engineering Exposure test as outlined by the OWASP Mobile Top 10.

Bluetooth
The application checks the current ready state of Bluetooth functionality. This is an informational finding.
Details:
  com.urbanairship.analytics.data.EventApiClient

Broadcast Action
The app registers a BroadcastReceiver.
Details (17 total classes, 10 shown):
  uk.co.bbc.smpan.android.DefaultBroadcastReceiverRegistrar
  com.squareup.picasso.Dispatcher$NetworkBroadcastReceiver
  com.urbanairship.push.adm.AdmPushProvider
  com.google.android.gms.iid.zze
  com.google.android.gms.common.GoogleApiAvailability
  com.google.android.gms.common.util.zzk
  com.google.android.gms.internal.zzge
  com.google.android.gms.internal.zzacb
  com.google.android.gms.internal.zzfi
  com.google.android.gms.internal.zzagy
  com.google.android.exoplayer2.audio.AudioCapabilitiesReceiver
  com.google.android.exoplayer2.audio.AudioCapabilities

Calendar
The application queries the Calendar on the device.
Details:
  uk.co.bbc.echo.live.Schedule
  com.urbanairship.preference.QuietTimePickerPreference
  com.urbanairship.push.QuietTimeInterval
  com.google.android.gms.internal.zzdg
  com.google.ads.mediation.MediationAdRequest
  com.urbanairship.push.PushManager
  com.urbanairship.analytics.Event
  android.support.v7.app.TwilightManager
  bbc.mobile.news.v3.util.BaseNewsDateUtils
  bbc.mobile.news.v3.modules.item.CopyrightFooterModule
  bbc.mobile.news.v3.common.util.Utils

Code Analysis
The app uses PendingIntents. A PendingIntent executes with the identity and permissions of the app that created it, so one handed to another app can let that app act with this app's permission level, potentially resulting in permission elevation for the other app.
Details:
  uk.co.bbc.smpan.audio.notification.androidNotificationSystem.AndroidNotificationFactory
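Three of the findings above are decided by the manifest rather than by code: the exported content provider, the exported components without a permission, and whether the addJavascriptInterface fix (targetSdkVersion of 17 or higher) applies. The script below, an added example that is not part of the scan report or of the BBC News app, re-checks those conditions offline against a decompiled AndroidManifest.xml. It applies the platform's export defaults when android:exported is absent (a provider is exported by default only when targetSdkVersion is below 17; other components are exported by default when they declare an intent-filter) and skips the MAIN/LAUNCHER activity, which is exported by design. The sample manifest, its package name and its class names are constructed for the example.

```python
"""Manifest audit for the exported-component and addJavascriptInterface findings.

Added example, not code from the scan report or from the app it describes.
The manifest below is constructed; its package and class names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: targets API 16, so the provider that omits android:exported
# is exported by default and the targetSdkVersion >= 17 JS-bridge mitigation is absent.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsapp">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="newsapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.newsapp.PUSH"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <provider android:name=".ArticleCacheProvider"
        android:authorities="com.example.newsapp.cache"/>
  </application>
</manifest>
"""
# Same manifest with the target raised to API 26: the provider default flips to
# not exported and the addJavascriptInterface condition no longer holds.
HARDENED_MANIFEST = SAMPLE_MANIFEST.replace(
    'android:targetSdkVersion="16"', 'android:targetSdkVersion="26"')


def android_attr(elem, name):
    """Return the android:<name> attribute of an element, or None."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk_version(root):
    """targetSdkVersion, falling back to minSdkVersion and then to 1, as the platform does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    value = android_attr(uses_sdk, "targetSdkVersion") or android_attr(uses_sdk, "minSdkVersion")
    return int(value) if value else 1


def is_exported(component, target_sdk):
    """Resolve android:exported, applying the platform defaults when it is absent."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17          # providers were exported by default before API 17
    return component.find("intent-filter") is not None


def is_launcher_activity(component):
    """The MAIN/LAUNCHER activity must be exported and unguarded; do not report it."""
    for intent_filter in component.findall("intent-filter"):
        actions = {android_attr(x, "name") for x in intent_filter.findall("action")}
        categories = {android_attr(x, "name") for x in intent_filter.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def has_permission(component):
    """android:permission guards any component; a provider may use read/write permissions instead."""
    if android_attr(component, "permission"):
        return True
    if component.tag == "provider":
        return bool(android_attr(component, "readPermission") or android_attr(component, "writePermission"))
    return False


def audit_manifest(manifest_xml):
    """Return (finding, subject) tuples for exported components lacking a permission
    and for a targetSdkVersion below 17."""
    root = ET.fromstring(manifest_xml)
    target_sdk = target_sdk_version(root)
    application = root.find("application")
    findings = []
    for component in (application if application is not None else []):
        if component.tag not in COMPONENT_TAGS or not is_exported(component, target_sdk):
            continue
        if component.tag == "activity" and is_launcher_activity(component):
            continue
        if not has_permission(component):
            findings.append(("exported-%s-without-permission" % component.tag, android_attr(component, "name")))
    if target_sdk < 17:
        findings.append(("addJavascriptInterface-exposes-all-public-methods", "targetSdkVersion=%d" % target_sdk))
    return findings


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        for finding, subject in audit_manifest(manifest):
            print("%s: %s %s" % (label, finding, subject))
```

Run it against the AndroidManifest.xml pulled from the APK with apktool to see which of the scan's exported-component findings survive once the export defaults are applied; the two remaining findings on the hardened manifest (the deep-link activity and the push receiver) are the ones that genuinely need either android:exported="false" or an android:permission, while the provider finding and the JavaScript-bridge condition disappear as soon as targetSdkVersion is at least 17.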